
Check Point SandBlast Mobile

UEM Integration Guide with BlackBerry UEM

Classification:None

Version: 3.0


© 2018 Check Point Software Technologies Ltd. All rights reserved.

This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and recompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our trademarks.

Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html for a list of relevant copyrights and third-party licenses.

Check Point and SandBlast are registered trademarks of Check Point Software Technologies Ltd. All rights reserved. Android and Google Play are trademarks of Google, Inc. App Store is a registered trademark of Apple Inc. iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. iOS® is used under license by Apple Inc. BlackBerry, BES, BES12, UEM, and UEM Client are registered trademarks of BlackBerry Limited and/or its subsidiaries.

Check Point SandBlast Mobile UEM Integration Guide | BlackBerry UEM

© 2018 Check Point Software Technologies Ltd. All rights reserved. | P. ii

October 17, 2018


About This Guide

Check Point SandBlast Mobile 3.0 is the most complete threat defense solution designed to prevent emerging fifth generation cyber attacks and allow workers to safely conduct business. Its technology protects against threats to the OS, apps, and network, scoring the industry’s highest threat catch rate without impacting performance or user experience.

Only SandBlast Mobile 3.0 delivers threat prevention technology that:

- Performs advanced app analysis to detect known and unknown threats
- Prevents man-in-the-middle attacks on both cellular and WiFi networks
- Blocks phishing attacks on all apps: email, messaging, social media
- Prevents infected devices from sending sensitive data to botnets
- Blocks infected devices from accessing corporate applications and data
- Mitigates threats without relying on user action or mobile management platforms

SandBlast Mobile 3.0 uses a variety of patent-pending algorithms and detection techniques to identify mobile device risks, and triggers appropriate defense responses that protect business and personal data.

The SandBlast Mobile solution ("the Solution") includes the following components:

- SandBlast Mobile Behavioral Risk Engine ("the Engine")
- SandBlast Mobile Gateway ("the Gateway")
- SandBlast Mobile Management Dashboard ("the Dashboard")
- SandBlast Mobile Protect app ("the App") for iOS and Android

When used with a Unified Endpoint Management (UEM) system, such as BlackBerry UEM, SandBlast Mobile provides integral risk assessment of the device, which the UEM can use to quarantine the device or enforce a set of policies that are in effect until the device is no longer at risk. Such policy enforcement could disable certain capabilities of a device, such as access to corporate assets (email, internal websites, etc.), thus protecting the corporation’s network and data from mobile-based threats.

This guide first describes how to integrate the SandBlast Mobile Dashboard with BlackBerry UEM. It provides a quick tour through the interface of the BlackBerry UEM Console and the SandBlast Mobile Dashboard in order to enable integration, alerting, and policy enforcement.

This includes activation and protection of a new device, malware detection, and mitigation (including mitigation flow).


Solution Architecture

Component Description

1. SandBlast Mobile Protect app

The SandBlast Mobile Protect app is a lightweight app for iOS® and Android™ that gathers data and helps analyze threats to devices in an Enterprise environment. It monitors operating systems and information about apps and network connections and provides data to the Solution which it uses to identify suspicious or malicious behavior.

To protect user privacy, the App examines critical risk indicators found in the anonymized data it collects.

The App performs some analysis on the device while resource-intensive analysis is performed in the cloud. This approach minimizes impact on device performance and battery life without changing the end-user experience.

2. UEM

Unified Endpoint Management (generalized term replacing MDM/EMM). Device Management and Policy Enforcement System.

3. SandBlast Mobile Gateway

The cloud-based SandBlast Mobile Gateway is a multi-tenant architecture to which mobile devices are registered.

The Gateway handles all Solution communications with enrolled mobile devices and with the customer’s (organization’s) Dashboard instance.

4. SandBlast Mobile Dashboard

The cloud-based web-GUI SandBlast Mobile Management Dashboard enables administration, provisioning, and monitoring of devices and policies and is configured as a per-customer instance.

The Dashboard can be integrated with an existing Unified Endpoint Management (UEM) solution for automated policy enforcement on devices at risk.

When using this integration, the UEM serves as a repository with which the Dashboard syncs enrolled devices and identities.

5. Behavioral Risk Engine

The cloud-based SandBlast Mobile Behavioral Risk Engine uses data it receives from the App about network, configuration, and operating system integrity data, and information about installed apps to perform in-depth mobile threat analysis.

The Engine uses this data to detect and analyze suspicious activity, and produces a risk score based on the threat type and severity.

The risk score determines if and what automatic mitigation action is needed to keep a device and its data protected.

No Personal Information is processed by or stored in the Engine.


Contents

Chapter 1 Preparing the UEM Platform for Integration
  Prerequisites
  BlackBerry UEM Console
  Creating an API Administrator Account (optional)
  Create a New Administrator User Account
  Assign New User to Administrator Role
  Adding a User
  Adding a User from Corporate Directory
  Adding a Local User
  Adding a Device to an Existing User
  Creating User Provisioning Groups
  Information about Device Risk & Status tags and BlackBerry UEM user groups
  Creating a User Group based on Corporate User Directory
  Creating Local User Group(s)
  Adding an Existing User to the Local User Group
  Adding a New User to an Existing Local User Group
  Nesting User Groups (Optional)
  Enrolling Devices to BlackBerry UEM

Chapter 2 Configuring the SandBlast Mobile Dashboard UEM Integration Settings
  Prerequisites
  Configuring Device Management Settings
  Multi-tags in SandBlast Mobile and Usage in BlackBerry UEM
  Tag Device Status
  Tag Device Risk
  Mitigation Group
  Controlling the Importing of Personally Identifiable Information (PII) from the UEM
  MDM Advanced Settings

Chapter 3 Configuring the UEM Platform
  Prerequisites
  Configuring UEM to Deploy SandBlast Mobile Protect app
  Adding the SandBlast Mobile Protect App to Your App Catalog
  AppStore iOS App – Add to Catalog
  Android App – Add to Catalog
  Creating an App Group (Optional)
  Deploying SandBlast Mobile Protect app
  Requiring the SandBlast Mobile Protect App to be Installed
  Creating a Compliance Policy
  Applying App Required Compliance Policy to User Provisioning Group
  Device Out of Compliance – Missing SandBlast Mobile Protect App
  Creating a Mitigation Process
  Creating IT Policies
  Applying the Policy to the User Mitigation Group

Chapter 4 Registering Devices to SandBlast Mobile
  Registration of an iOS Device
  Registration of an Android Device
  Redeployment of the SandBlast Mobile Protect App – iOS
  Redeployment of the SandBlast Mobile Protect App - Android
  Resending SandBlast Mobile Activation Code

Chapter 5 Testing High Risk Activity Detection and Policy Enforcement
  Blacklisting a Test App
  View of Non-Compliant Device
  SandBlast Mobile Protect App Notifications
  UEM Client App Notifications
  Administrator View on the SandBlast Mobile Dashboard
  Administrator View on the BlackBerry UEM Console

Appendix
  Integration Information


Chapter 1

Preparing the UEM Platform for Integration

This chapter discusses the following:

- Prerequisites
- BlackBerry UEM Console
- Creating an API Administrator Account (optional)
- Create a New Administrator User Account
- Assign New User to Administrator Role
- Adding a User
- Adding a User from Corporate Directory
- Adding a Local User
- Adding a Device to an Existing User
- Creating User Provisioning Groups
- Information about Device Risk & Status tags and BlackBerry UEM user groups
- Creating a User Group based on Corporate User Directory
- Creating Local User Group(s)
- Adding an Existing User to the Local User Group
- Adding a New User to an Existing Local User Group
- Nesting User Groups (Optional)
- Enrolling Devices to BlackBerry UEM

Prerequisites

1. BlackBerry UEM 12.6 or higher.

2. For on-premise BlackBerry UEM Deployments, the port used for the UEM Web Services API (default: TCP 18084) must be accessible remotely by the SandBlast Mobile servers through your firewall before trying to connect.


BlackBerry UEM Console

For more or updated information regarding BlackBerry UEM, please see http://help.blackberry.com/en/blackberry-uem/current/

1. Log in to your BlackBerry UEM Console.

Note: During the procedures in this document there are quite a few pieces of information that you will need to gather or create. There is a form in "Integration Information" on page 70 where you can record your settings for easy reference.

Creating an API Administrator Account (optional)

For the interaction at the API, we will create an API admin user in the BlackBerry UEM Console, which lets you limit the capability of the admin credentials used between the SandBlast Mobile Dashboard and the BlackBerry UEM system.

Note: Creating such an admin account is a best practice and highly recommended, but is optional.

Note: Creating an administrator account and administrator role requires a "Security Administrator" level role.

To create an "API" Administrator Account, follow this process.


For more or updated information, please see BlackBerry’s documentation at http://help.blackberry.com/en/blackberry-uem/current/administration/create-administrator.html

Create a New Administrator User Account

1. Navigate to Users, click "Add user".

2. On the "Add a user" pop-up window "Local" tab, fill in the "Display name", "Username", and an "Email address" for the new user. In our example, we will create an admin username of "sbm_admin".


3. Enter in a temporary console password for this user. When you login the first time with these credentials,you will be prompted to set a new password.

4. Scroll down and deselect the "Enable user for device management" checkbox.

5. Click "Save".

Assign New User to Administrator Role

1. Navigate to Settings > Administrators > Users, click "Add Admin".


2. On the "Add an Administrator" pop-up window, search/select the user you created in "Create a New Administrator User Account" on page 3.

3. Click the user’s "Name".

4. Under "Assign a role" select the "Security Administrator" role.

5. Click "Save".


6. Finish the creation of the new admin account by logging out of the BlackBerry UEM Console, and then logging back in using the temporary credentials you assigned to this new admin, in our example "sbm_admin / T3mp0rary123!". This will force you to select a new unique password.

7. Click "Sign In".

8. On the "New password" pop-up window, enter in a new password.

9. Click "Submit".

10. On the "Find out about…" pop-up window, select "Do not show this again".

11. Click "Start".

12. Click "Log out".

Note: Log out and log back into the BlackBerry UEM Console with your original Admin credentials to continue with the configuration.


Adding a User

There are two ways to add a user: "Add a Local User", or sync with a corporate user directory.

Note: You can integrate with your Corporate User Directory to import group and associated user information. Imported information can be used for automatic provisioning of users, group-based policy assignment and App distribution. Supported User Directories are Microsoft Active Directory and LDAP.

For more or updated information, please see BlackBerry’s documentation at http://help.blackberry.com/en/blackberry-uem/current/getting-started-blackberry-uem-and-blackberry-dynamics/hse1372277059163.html

Adding a User from Corporate Directory

If you have configured your BlackBerry UEM Console to integrate with your company user directory, follow these steps to add a user to the BlackBerry UEM Console.

1. Navigate to Users, click "Add user".


2. On the "Add a user" pop-up window "Company directory" tab, start typing the name of the user you want to add. When the name is displayed, select it from the drop-down list.


3. The required (*) user information such as Display Name, Username, and Email address will be filled in from the company directory entry.


4. Scroll down to the bottom on the pop-up window and set the "Device activation" settings as required for your company.

5. Click "Save".

Adding a Local User

We are going to show how to add a local user using the "Add User" method.

1. Navigate to Users, click "Add user".


2. On the "Add a user" pop-up window "Local" tab, fill in all the required (*) fields with the appropriate information, such as in the example below.

3. Enter in a temporary console password for this user and select "Send password to user".


4. Scroll down to the bottom on the pop-up window and set the "Device activation" settings as required for your company.

5. Click "Save".

Note: The user is already notified with device enrollment procedures upon the creation of the user.

Adding a Device to an Existing User

1. Navigate to Users, scroll to or search for the user, and select that user.

2. Click "Send activation email".


3. On the "Set device activation password" pop-up window, set the "Device activation" settings as required for your company.

4. Click "Send".

Note: Repeat these steps to add another device.

Creating User Provisioning Groups

To create a group of users whose devices will be registered to the Check Point SandBlast Mobile solution, follow this procedure.

Information about Device Risk & Status tags and BlackBerry UEM user groups

User groups are how BlackBerry UEM applies policies and assigns/deploys apps.

For more or updated information about adding user groups, see BlackBerry’s documentation at:

http://help.blackberry.com/en/blackberry-uem/current/getting-started-blackberry-uem-and-blackberry-dynamics/managing_user_groups_and_user_accounts.html

SandBlast Mobile utilizes these groups to move devices in and out of 7 pre-defined groups, and one freeform mitigation group.

There are 3 pre-defined status groups:

- CHKP_Status_Provisioned
- CHKP_Status_Active
- CHKP_Status_Inactive

When a device is provisioned in SandBlast Mobile Dashboard, this device is placed in the CHKP_Status_Provisioned group.

After the user has installed and registered to SandBlast Mobile, this device is moved from the CHKP_Status_Provisioned group to the CHKP_Status_Active group.

If the device hasn’t checked in with SandBlast Mobile for X number of days (configured by the SandBlast Mobile Admin), then the device is moved from CHKP_Status_Active to CHKP_Status_Inactive.


There are 4 pre-defined risk groups:

- CHKP_Risk_None
- CHKP_Risk_Low
- CHKP_Risk_Medium
- CHKP_Risk_High

If a device is determined to be at High, Medium, or Low risk, the device is placed in the respective group. If the device has no risks, then it is placed in the CHKP_Risk_None group.

For example, if the device has a Low risk app and a High risk (malicious) SMS URL, then the device will appear in both the CHKP_Risk_Low and CHKP_Risk_High groups.

The freeform mitigation group is any unique name, such as "Users_At_High_Risk", in which SandBlast Mobile will place only devices determined to be at High Risk. It does not provide the granularity of the different risk levels of the device, just the high risk state. This method was the original way to group devices at high risk, and it is strongly recommended that you implement the CHKP Risk and Status groups instead of using the freeform group.

In "Creating Local User Group(s)" on page 18, we will create these pre-defined SandBlast Mobile groups and nest them according to how we want our corporate policies to be applied.

In our example, devices that are members of CHKP_Risk_High, CHKP_Risk_Medium, or CHKP_Status_Inactive will be considered to be "Users_At_Risk", and have the appropriate Mitigation Policies applied as defined later in "Creating a Mitigation Process" on page 55. Devices that are members of CHKP_Risk_None or CHKP_Risk_Low will not have the mitigation policies applied.

See the following diagram on how policies and group nesting are applied.


Creating a User Group based on Corporate User Directory

In this section we will create a User Group that is tied to Active Directory.

1. Navigate to Groups > User, click "Add a directory-linked group" icon.

2. On the "Add directory-linked group" pop-up window, enter in a Group Name, such as "SBM_AD_Users", and, if desired, a Group Description.

3. Click "+" sign to add a Linked directory group.


4. On the "Search company directory" pop-up window, enter in the first few letters of the corporate directory group you want to link, and hit enter.

5. Click "Add".

6. We haven’t created any IT policies and profiles or added Apps to our App Catalog as of yet, so we will add those in subsequent sections.

7. Click "Add".


Creating Local User Group(s)

In this section, we will create all of the User Groups we need for Provisioning, Monitoring, and Mitigation. These groups are:

Optional User Groups, but recommended in order to simplify applying policies, deploying apps, and mitigating risks. Some of the required user groups will be nested under these groups as discussed further in "Information about Device Risk & Status tags and BlackBerry UEM user groups" on page 13 and in "Nesting User Groups (Optional)" on page 23.

- SBM_Syncd_Users
- Users_At_Risk

Required User Group if not using AD User Group

- SBM_Local_Users

Required User Groups for Integration if using Tag Device Status and Tag Device Risk

- CHKP_Status_Provisioned
- CHKP_Status_Active
- CHKP_Status_Inactive
- CHKP_Risk_None
- CHKP_Risk_Low
- CHKP_Risk_Medium
- CHKP_Risk_High

1. Navigate to Groups > User, click "Add a user group" icon.


2. On the "Add a user group" pop-up window, enter in a Group Name, such as "SBM_Local_Users", and, if desired, a Group Description.

3. We haven’t created any IT policies and profiles or added Apps to our App Catalog as of yet, so we will add those in subsequent sections.

4. Click "Add".

Note: Repeat these steps to add all the user groups listed above.

Adding an Existing User to the Local User Group

To add an existing user to the User Group we created in "Creating a User Group based on Corporate User Directory" on page 16 or "Creating Local User Group(s)" on the previous page, follow this procedure. Our example will be using the Local User group ("SBM_Local_Users").


1. Navigate to Users, scroll and select the user you want to add to the user group, and click the "Add to user groups" icon.

2. On the "Add to user groups" pop-up window, select the SBM_Local_Users from the "Available groups" list, and click the right arrow.


3. Click "Save".

4. The User is now part of the User Group "SBM_Local_Users".

Adding a New User to an Existing Local User Group

Adding a new user to an existing user group follows nearly the same procedure as in "Adding a User" on page 7.

1. Navigate to Users, click "Add user".


2. On the "Add a user" pop-up window "Local" tab, fill in all the required (*) fields with the appropriate information, such as in the example below.

3. Select the User Group from the "Available groups" list and click right arrow.


4. Scroll down to the bottom on the pop-up window, and enter in a temporary console password for this user and select "Send password to user".

5. Set the "Device activation" settings as required for your company.

6. Click "Save".

Note: The user is already notified with device enrollment procedures upon the creation of the user.

Nesting User Groups (Optional)

We will be nesting the user groups that we created in "Creating Local User Group(s)" on page 18 and as discussed in "Information about Device Risk & Status tags and BlackBerry UEM user groups" on page 13.

This will simplify the policy enforcement.

Note: If you do not want to create nested user groups, then you must apply the appropriate policies, apps, etc. to each group individually as inheritance only occurs from parent group to child group.

In our example, we will nest our groups as follows:

SBM_Syncd_Users
    CHKP_Status_Provisioned
    CHKP_Status_Active
    CHKP_Status_Inactive
Users_At_Risk
    CHKP_Risk_High
    CHKP_Risk_Medium
    CHKP_Status_Inactive

Also, if you want devices at Low Risk to be subject to the same Non-Compliant policies as those at High Risk, simply nest CHKP_Risk_Low under Users_At_Risk.

For more or updated information about nested groups in BlackBerry UEM, see http://help.blackberry.com/en/blackberry-uem/current/administration/jth1410530746516.html

1. Navigate to Groups > User, and select "Users_At_Risk" to edit it.

2. Select the "Nested groups" tab, and click "+".

3. On the "Add a nested group" pop-up window, select CHKP_Status_Inactive, CHKP_Risk_Medium, and CHKP_Risk_High.

4. Click "Add".

Note: Repeat these steps for adding the appropriate nested groups for SBM_Syncd_Users.


Enrolling Devices to BlackBerry UEM

For iOS devices, see http://help.blackberry.com/en/blackberry-uem/current/getting-started-blackberry-uem-and-blackberry-dynamics/adr1451941812493.html for more details.

For Android devices, see http://help.blackberry.com/en/blackberry-uem/current/getting-started-blackberry-uem-and-blackberry-dynamics/adr1451941820349.html for more details.

Note: At this point, we have all the information we will need to configure the UEM integration settings in the SandBlast Mobile Dashboard.

From Our Examples:

Server URL = https://<FQDN of BlackBerry UEM Server>:<port to Web Services API> (i.e. https://uem.acme.us:18084)
SandBlast Mobile API Admin Username/Password = sbm_admin/<hidden>
User Provisioning Group(s) = SBM_Local_Users; SBM_AD_Users


Chapter 2

Configuring the SandBlast Mobile Dashboard UEM Integration Settings

This chapter discusses the following:

Prerequisites
Configuring Device Management Settings
Multi-tags in SandBlast Mobile and Usage in BlackBerry UEM
Tag Device Status
Tag Device Risk
Mitigation Group
Controlling the Importing of Personally Identifiable Information (PII) from the UEM
MDM Advanced Settings

Prerequisites

You will need the following details from your BlackBerry UEM Deployment:

Note: There is a table in "Integration Information" on page 70 in which you can record your settings for easy reference.

1. Server: The root URL to your BlackBerry UEM Web Services API including the leading https://, such as https://uem.acme.us:18084

2. SRP ID: This is the SRP ID from BlackBerry licensing registered to your instance, in the form of S12345678. This value can be found by going to BlackBerry UEM Console > Help > About BlackBerry UEM.

3. BlackBerry UEM SandBlast Mobile Administrator Username and Password: These are the Admin credentials that the SandBlast Mobile Dashboard will use to connect to the UEM. You may have created a special API Admin account in "Creating an API Administrator Account (optional)" on page 2 for this purpose.

4. Group(s): These are the BlackBerry UEM user provisioning groups that contain the users/devices to be registered to SandBlast Mobile, and that will be integrated with the SandBlast Mobile Dashboard. Multiple groups can be integrated with the one SandBlast Mobile Dashboard instance by entering each group name separated with a semicolon (;). These are the User Provisioning Groups we created in "Creating User Provisioning Groups" on page 13 ("SBM_Local_Users; SBM_AD_Users").

5. Mitigation Group: This field will not be used, as we will be using the CHKP Risk and Status tags, as defined in "Creating Local User Group(s)" on page 18.

6. For on-premise UEM environments, the BlackBerry UEM Web Services port (TCP 18084) must be remotely accessible through your firewall from the SandBlast Mobile Dashboard to the UEM system before trying to connect.

7. Delete any existing devices in the SandBlast Mobile Dashboard, and ensure that any devices that are to be enrolled via BlackBerry UEM integration are removed from other SandBlast Mobile Dashboards.

Note: Only the devices are synchronized from BlackBerry UEM to the SandBlast Mobile Dashboard, not users. If a user doesn't have a device enrolled, their information will not be synchronized to the SandBlast Mobile Dashboard.


Configuring Device Management Settings

1. Navigate to Settings > Device Management > Setting.

2. Select "BlackBerry UEM" from the "MDM service" drop-down menu under the Device Management Settings area.

3. A pop-up window will open.


4. Configure the settings as appropriate for your BlackBerry UEM Deployment, such as those you have created in "Preparing the UEM Platform for Integration" on page 1.

5. Turn ON the "Tag Device Status" and "Tag Device Risk" toggles. Additional information regarding these tags can be found in "Information about Device Risk & Status tags and BlackBerry UEM user groups" on page 13 and in "Multi-tags in SandBlast Mobile and Usage in BlackBerry UEM" on page 31.

6. If your organization does not want to import any of the Personally Identifiable Information (PII), these toggles can be turned OFF for Owner Name, Phone Number, and/or Owner Email address. See additional information in "Controlling the Importing of Personally Identifiable Information (PII) from the UEM" on page 32.


7. If the BlackBerry UEM instance uses a self-signed certificate, you can upload the Base64 certificate to the SandBlast Mobile server by turning on "Advanced options", clicking "Upload Certificate", and selecting the Base64 certificate you saved from your UEM instance’s Web Services page (i.e. https://uem.acmecorp.us:18084).

8. Click "Verify". If the settings are correct, and the SandBlast Mobile Dashboard can communicate with the BlackBerry UEM system, you will be able to click "Save" to finish configuration.


9. After successful configuration and sync, the "Devices" tab will show the devices added to SandBlast Mobile and their status as "Provisioned", which indicates that they have not yet tried to register to the SandBlast Mobile Dashboard.
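The checks below are an added example, not part of the Check Point guide: they validate the Server, SRP ID and Group(s) values from the Prerequisites before they are typed into the pop-up, and compute the SHA-256 fingerprint of the saved Base64 certificate so it can be compared out of band with the one on the UEM server before upload. The function names and the SRP ID pattern ("S" plus eight digits, inferred from the guide's S12345678) are assumptions; fetch_pem needs network access to the UEM host.

```python
import hashlib
import re
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_WS_PORT = 18084            # default Web Services API port named in the guide
SRP_ID_RE = re.compile(r"S\d{8}")  # assumption: "S" + 8 digits, inferred from "S12345678"


def check_settings(server, srp_id, groups):
    """Validate the Server, SRP ID and Group(s) values before they are entered.

    Returns (host, port, group_names, problems); problems is empty when all pass.
    """
    problems = []
    url = urlsplit(server.strip())
    host = url.hostname
    try:
        port = url.port
        if port is None:
            problems.append("server: no port given (Web Services API default is 18084)")
    except ValueError:
        port = None
        problems.append("server: port is not a valid number")
    if url.scheme != "https":
        problems.append("server: must start with https://")
    if not host:
        problems.append("server: host name missing")
    if url.path not in ("", "/") or url.query or url.fragment:
        problems.append("server: use the root URL only, without a path")

    if not SRP_ID_RE.fullmatch(srp_id.strip()):
        problems.append("srp_id: expected the form S12345678")

    # Group names are separated by semicolons; keep order, drop blanks and repeats.
    names = []
    for raw in groups.split(";"):
        name = raw.strip()
        if not name:
            problems.append("groups: empty entry (stray semicolon?)")
        elif name in names:
            problems.append(f"groups: {name} listed twice")
        else:
            names.append(name)
    return host, port, names, problems


def pem_fingerprint(pem):
    """SHA-256 fingerprint of a Base64 (PEM) certificate, colon-separated."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_pem(host, port=DEFAULT_WS_PORT, timeout=5.0):
    """Network step: confirm the port is reachable, then return the certificate
    the server presents as PEM. The certificate is NOT validated here, so the
    fingerprint must be compared with one read directly on the UEM server."""
    with socket.create_connection((host, port), timeout=timeout):
        pass  # raises OSError if a firewall blocks the Web Services port
    return ssl.get_server_certificate((host, port))


# Constructed sample input; the URL and group names are the guide's own examples.
SAMPLE = ("https://uem.acme.us:18084", "S12345678", "SBM_Local_Users; SBM_AD_Users")

if __name__ == "__main__":
    host, port, names, problems = check_settings(*SAMPLE)
    print(host, port, names, problems or "settings look well-formed")
```

Only upload a fetched certificate after its fingerprint matches the value read on the UEM server itself; a certificate retrieved over the network and trusted without that comparison could belong to an intermediary.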

Multi-tags in SandBlast Mobile and Usage in BlackBerry UEM

Recently added to SandBlast Mobile Dashboard for UEM integrations is the concept of multi-tags.

The multi-tags are built-in tags that SandBlast Mobile will use to indicate the different registration states (CHKP_Status) and the different risk levels (CHKP_Risk) with which the devices can be marked. This allows the Administrators on the UEM to configure granular compliance policies based on device registration status or risk level. These tags are created as "user groups" in BlackBerry UEM.

There are 3 Status states:

Status | Description
CHKP_Status_Provisioned | When a device is synchronized for the first time in SandBlast Mobile Dashboard
CHKP_Status_Active | After the user has installed and registered to SandBlast Mobile
CHKP_Status_Inactive | If the device hasn’t checked in with SandBlast Mobile for X number of days (configured by the SandBlast Mobile Admin)

There are 4 pre-defined Risk levels:

CHKP_Risk_None
CHKP_Risk_Low
CHKP_Risk_Medium
CHKP_Risk_High

For example, if the device has a Low risk app and a High risk (malicious) SMS URL, then the device will be marked as at High Risk (CHKP_Risk_High = 1) and at Low Risk (CHKP_Risk_Low = 1). Once the High Risk issue has been remediated (SMS deleted), then the CHKP_Risk_High will be set to 0. Once the Low Risk issue has been remediated, the CHKP_Risk_Low will be set to 0.

Tag Device Status

For integration with BlackBerry UEM, the Device Status tags are interpreted as "user groups" of "CHKP_Status_Provisioned", "CHKP_Status_Active", or "CHKP_Status_Inactive", each of which will have a value of either "0" or "1" when set.

We will use the CHKP_Status user groups to determine when to prompt the user to install the SandBlast Mobile Protect app on their device. If none of the CHKP_Status user groups has been set yet for a device, then the device has not been synced with SandBlast Mobile Dashboard.


Tag Device Risk

For integration with BlackBerry UEM, the Device Risk tags are interpreted as "user groups" of "CHKP_Risk_None", "CHKP_Risk_Low", "CHKP_Risk_Medium", and "CHKP_Risk_High" with the values of "0" or "1".

We will use the CHKP_Risk user groups to determine when to enact certain policies or actions on the device. As an example, if CHKP_Risk_High is set to "1", then the device will be sent an in-app notification and blocked from running corporate apps or connecting to corporate assets.
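The following added example (not part of the Check Point guide, and not BlackBerry UEM code) models how the independent 0/1 tags combine with the nested groups from "Nesting User Groups (Optional)" to decide which parent-group assignments reach a device. The resolver and its function names are assumptions for illustration; the group names, the "High Risk Device Policy" name and the Required app assignment are the guide's own examples.

```python
STATUS_TAGS = ("CHKP_Status_Provisioned", "CHKP_Status_Active", "CHKP_Status_Inactive")
RISK_TAGS = ("CHKP_Risk_None", "CHKP_Risk_Low", "CHKP_Risk_Medium", "CHKP_Risk_High")

# Parent group -> nested child groups, as in the guide's nesting example.
NESTING = {
    "SBM_Syncd_Users": {"CHKP_Status_Provisioned", "CHKP_Status_Active", "CHKP_Status_Inactive"},
    "Users_At_Risk": {"CHKP_Risk_High", "CHKP_Risk_Medium", "CHKP_Status_Inactive"},
}

# What the guide's examples assign to each parent group.
ASSIGNMENTS = {
    "SBM_Syncd_Users": {"app: SandBlast Mobile Protect (Required)"},
    "Users_At_Risk": {"app: SandBlast Mobile Protect (Required)",
                      "IT policy: High Risk Device Policy"},
}


def tagged_groups(tags):
    """Return the CHKP_* user groups whose tag value is 1; reject malformed input."""
    known = set(STATUS_TAGS) | set(RISK_TAGS)
    groups = set()
    for name, value in tags.items():
        if name not in known:
            raise ValueError(f"unknown tag: {name}")
        if value not in (0, 1):
            raise ValueError(f"{name} must be 0 or 1, got {value!r}")
        if value == 1:
            groups.add(name)
    return groups


def effective_groups(tags, nesting=NESTING):
    """Tagged groups plus every ancestor; inheritance flows from parent to child."""
    result = tagged_groups(tags)
    frontier = set(result)
    while frontier:
        parents = {p for p, children in nesting.items() if set(children) & frontier}
        frontier = parents - result  # only expand groups not seen yet (cycle-safe)
        result |= frontier
    return result


def effective_assignments(tags, nesting=NESTING, assignments=ASSIGNMENTS):
    """Union of the assignments inherited from every effective group."""
    inherited = set()
    for group in effective_groups(tags, nesting):
        inherited |= assignments.get(group, set())
    return inherited


def is_synced(tags):
    """A device with no CHKP_Status tag set has not been synced with the Dashboard."""
    return any(tags.get(tag) == 1 for tag in STATUS_TAGS)


def nest(nesting, parent, child):
    """Return a copy of the nesting map with child added under parent."""
    updated = {p: set(c) for p, c in nesting.items()}
    updated.setdefault(parent, set()).add(child)
    return updated


# Constructed sample: the guide's device with a Low risk app and a High risk SMS URL,
# before and after the SMS is deleted.
BEFORE = {"CHKP_Status_Active": 1, "CHKP_Risk_High": 1, "CHKP_Risk_Low": 1}
AFTER_SMS_DELETED = {"CHKP_Status_Active": 1, "CHKP_Risk_High": 0, "CHKP_Risk_Low": 1}

if __name__ == "__main__":
    low_is_risky = nest(NESTING, "Users_At_Risk", "CHKP_Risk_Low")
    for label, tags, nesting in (("before", BEFORE, NESTING),
                                 ("after", AFTER_SMS_DELETED, NESTING),
                                 ("after, Low nested", AFTER_SMS_DELETED, low_is_risky)):
        print(label, sorted(effective_assignments(tags, nesting)))
```

With the default nesting, the device leaves Users_At_Risk as soon as CHKP_Risk_High returns to 0 even though CHKP_Risk_Low is still 1; nesting CHKP_Risk_Low under Users_At_Risk keeps the restriction in place until the Low risk issue is also remediated.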

Mitigation Group

The free-form Mitigation group is any unique name, such as "SBM_HighRisk", in which SandBlast Mobile will place only devices determined to be at High Risk.

Note: This mitigation group must be created as a "user group" in BlackBerry UEM prior to using it.

Please note that the Mitigation group does not provide the granularity of the different risk levels of the device, just high risk.

This method was the original way to group devices at high risk, and it is strongly recommended that you implement the CHKP_Risk and CHKP_Status user groups instead of using the free-form Mitigation group.

Controlling the Importing of Personally Identifiable Information (PII) from the UEM

The PII for devices (users) can be limited from being imported to SandBlast Mobile by configuring the "Import Personally Identifiable Information (PII)" section.

If all entries are turned off, then a placeholder for the email address will be placed in the Device Owner’s Email, in the form of "Device UDID@mdm_vendor", such as [email protected].


1. PII Control is configured in the Settings > Device Management > Setting > MDM service pop-up window.

2. Turning off PII Import will result in the following Devices display in SandBlast Mobile.


MDM Advanced Settings

When a UEM Service is configured, the Device Management Advanced Settings are automatically configured based on recommendations of the selected UEM provider, in this case from BlackBerry UEM.

1. Navigate to Settings > Device Management > Advanced, and make any appropriate changes.

Setting | Description
Device sync interval | Interval to connect with UEM to sync devices. Values: 10-1440 minutes, in 10 minute intervals
Device deletion threshold | Percentage of devices allowed for deletion after UEM device sync. 100% for no threshold
Deletion delay interval | Delay device deletion after sync – a device will not be deleted if it is re-synced from UEM during the threshold interval. Values: 0-48 hours
App sync interval | Interval to connect with UEM to sync app list. Values: 10-1440 minutes, in 10 minute intervals

Note: If you make changes to the default settings, click "Save" to have changes take effect.


Chapter 3

Configuring the UEM Platform

Now that we have completed the integration steps, we can continue with the configuration of the UEM platform.

For this process we will return to the BlackBerry UEM Console to complete the configuration.

This chapter discusses the following:

Prerequisites
Configuring UEM to Deploy SandBlast Mobile Protect app
Adding the SandBlast Mobile Protect App to Your App Catalog
AppStore iOS App – Add to Catalog
Android App – Add to Catalog
Creating an App Group (Optional)
Deploying SandBlast Mobile Protect app
Requiring the SandBlast Mobile Protect App to be Installed
Creating a Compliance Policy
Applying App Required Compliance Policy to User Provisioning Group
Device Out of Compliance – Missing SandBlast Mobile Protect App
Creating a Mitigation Process
Creating IT Policies
Applying the Policy to the User Mitigation Group

Prerequisites

1. BlackBerry UEM 12.6 or higher.

2. For on-premise BlackBerry UEM Deployments, the port used for the UEM Web Services API (default: TCP 18084) must be accessible remotely by the SandBlast Mobile servers through your firewall before trying to connect.


Configuring UEM to Deploy SandBlast Mobile Protect app

For more or updated information, please see BlackBerry’s documentation at http://help.blackberry.com/en/blackberry-uem/current/getting-started-blackberry-uem-and-blackberry-dynamics/zfd1473950276026.html

Adding the SandBlast Mobile Protect App to Your App Catalog

Now that BlackBerry UEM and Check Point SandBlast Mobile Dashboard are communicating, we can start deploying the SandBlast Mobile Protect app to those devices that will be protected by Check Point SandBlast Mobile.

We will need to add the App for both iOS and Android operating systems.

AppStore iOS App – Add to Catalog

For the iOS app, BlackBerry UEM can automatically deploy and configure the SandBlast Mobile Protect app registration server and key on an iOS device. It does require the user to launch the SandBlast Mobile Protect app to finish device registration. There are two possible deployment scenarios for iOS, using the Apple App Store app or the Enterprise iOS app that has been signed by your organization. This procedure describes deploying the Apple App Store app.

1. Navigate to Apps > Apps, and click the icon.


2. Select "iTunes" from the Store List.

3. In the "App" field, enter "SandBlast Mobile Protect", select the appropriate store for your country, and click "Search" to search the store.

4. Select the SandBlast Mobile Protect app as indicated below by clicking "Add".


5. An App Configuration pop-up window for "SandBlast Mobile Protect" will open.


6. Scroll down to the bottom of the screen, and click "+" on the right-hand side of the "App configuration" table.

7. Select "Configure manually" from the drop-down.


8. On the "SandBlast Mobile Protect" configuration pop-up window, enter an App configuration name.

9. Click "+" and select "String" twice.

10. Add the following Key/Value pairs:

Key | Type | Value
Lacoon Server Address | string | gw.locsec.net
Device Serial Number | string | %SerialNumber%

11. Click "Save".

12. Click "Add" to finish adding the app to the app catalog.

Android App – Add to Catalog

BlackBerry UEM can automatically deploy, but not configure, the SandBlast Mobile Protect app registration server and key on an Android device. Completing deployment requires the user to launch the SandBlast Mobile Protect app to finish device registration, by entering the registration server and registration key the user received via email.


1. Navigate to Apps > Apps, and click the icon.

2. Select "Google Play App" from the Store List.


3. Click "Open Google Play" and search for the app that you want to add. You can then copy and paste information from Google Play in the following steps and also download icons and screen shots.

4. In the App name field, type the app name, "SandBlast Mobile Protect".

5. In the App description field, type a description for the app.

6. In the Vendor field, type the name of the app vendor, "Check Point Software Technologies, Ltd."

7. In the App icon field, click Browse. Locate and select an icon for the app. The supported formats are .png, .jpg, .jpeg, or .gif.

Note: Do not use Google Chrome to download the icon because an incompatible .webp image is downloaded.


8. In the App web address from Google Play field, type the web address of the app in Google Play.
   a. https://play.google.com/store/apps/details?id=com.lacoon.security.fox

9. Click "Add".


Creating an App Group (Optional)

This is an optional step, but it does provide a method of organizing Apps.

1. Navigate to Apps > App groups, and click the icon.


2. On the "Add app group" pop-up window, enter a name for the App group.

3. Click "+" on the "Assigned apps" section.


4. Enter SandBlast into the Search box, and select the Android and iOS versions of the SandBlast Mobile Protect app.

5. Set the App configuration to "iOS Protect" for the iOS app.

6. Click "Add".


Deploying SandBlast Mobile Protect app

To deploy the SandBlast Mobile Protect app to devices that will be registered to the Check Point SandBlast Mobile solution, we need to link the SandBlast Mobile Protect app in our app catalog to the User Groups we created in "Creating User Provisioning Groups" on page 13.

1. Navigate to Groups > User, and click the name of the User Provisioning Group, in our example "SBM_Syncd_Users".

2. Click the Settings tab.

3. Click "+" on the "Assigned apps" section.

4. On the "Assign app" pop-up window, select the App Group we created in "Creating an App Group (Optional)" on page 44. If you didn't create an App Group, you would select both SandBlast Mobile Protect apps and assign them directly, selecting the iOS Configuration.

5. Click "Next".


6. Set the "Disposition" to "Required" for the App Group.

7. Click "Assign".

Note: Repeat the steps in this section for "Users_At_Risk". This will prompt the users who belong to "SBM_Syncd_Users" to install the SandBlast Mobile Protect app. Also, those users who are in the "Users_At_Risk" group who uninstall the SandBlast Mobile Protect app will be out of compliance.

Note: Repeat the steps in this section for "SBM_AD_Users" and "SBM_Local_Users", but change the "Disposition" to "Optional" instead of "Required".

Requiring the SandBlast Mobile Protect App to be Installed

The SandBlast Mobile Protect app is required by creating a Compliance Policy for iOS and Android devices, then assigning this compliance policy to the User Provisioning Group we created in "Creating User Provisioning Groups" on page 13.

Creating a Compliance Policy

The policy will specify the actions taken on all SandBlast Mobile devices that do not have required apps, such as SandBlast Mobile Protect, installed.


1. Navigate to Policies and profiles, and click the "Add a profile" link under "Compliance".

2. Enter a Name for the policy, such as "Missing Required Apps", enter a description, and select the "iOS" tab.

3. Select "Required app is not installed" and set appropriate actions to be taken if the user doesn’t install the app.


4. Select the "Android" tab.

5. Select "Required app is not installed" and set appropriate actions to be taken if the user doesn’t install the app.

6. Click "Add".

Applying App Required Compliance Policy to User Provisioning Group

The policies created in the previous section are assigned to the user provisioning group created in "Creating User Provisioning Groups" on page 13, in our example "SBM_AD_Users" and "SBM_Local_Users". Because the users will remain in the "SBM_AD_Users" or "SBM_Local_Users" group while their devices are synchronized with SandBlast Mobile, the policies will remain in effect for all other user groups they belong to as long as they are not removed from this group.


1. Navigate to Groups > User, locate the user provisioning group, and click the group’s name link.

2. Select the "Settings" tab, and click "+" in the "IT policy and profiles" section.

3. Select "Compliance" from the pop-up list.

4. On the "Assign a Compliance profile" pop-up window, select the "Compliance Policy" we created in the previous section.

5. Click "Assign".

Note: Repeat these steps for "SBM_Local_Users", if you are using it.


Note: Any device that belongs to the User Provisioning Group(s) which require the SandBlast Mobile Protect apps to be installed ("SBM_Syncd_Users" and "Users_At_Risk") that hasn’t installed the SandBlast Mobile Protect app will be out of compliance.

Device Out of Compliance – Missing SandBlast Mobile Protect App

1. The BlackBerry UEM Console Home Screen indicates an "Out of Compliance" issue.


2. Clicking on the "Non-compliant" pie piece opens a reporting window.

3. The Device Details View indicates an "Out of Compliance" issue.


4. The user will receive an alert email as well as an in-app notification.


Creating a Mitigation Process

In this procedure, you will create a mitigation policy set to enforce compliance and mitigation policies against those devices that belong to the Users_At_Risk group.

For more or updated information regarding IT Policies, please see BlackBerry’s documentation at http://help.blackberry.com/en/blackberry-uem/current/administration/ksa1373387706292.html and http://help.blackberry.com/en/blackberry-uem/current/administration/it-policies.html

Creating IT Policies

We will create IT Policies that will be enforced on devices that are at risk. In this section, we will create an IT Policy that will be used to restrict the At Risk device in some manner.

Note: We will show an example policy, but these enforcement policies are something that the customer should create for their environment and needs. In a production environment, the customer should configure the compliance and IT policies according to their internal security policy.

The policy will specify the actions taken on At Risk devices. In our example, we will disable the camera, but you might create a policy that disables access to the corporate network or assets.

1. Navigate to Policies and profiles, and click the "Add an IT policy" link under "IT policies".

2. Enter a Name for the policy, such as "High Risk Device Policy", and select the "iOS" tab.

3. Under "Device functionality", unselect "Allow use of camera".


4. Select the "Android" tab.

5. Under "Native OS > Device functionality", select "Disable camera".

6. Scroll to "KNOX MDM > Device functionality", unselect "Allow camera".

7. Scroll to "KNOX Premium – Workspace > Device functionality", unselect "Allow camera".

8. Scroll to the bottom of the screen and click "Add".


Applying the Policy to the User Mitigation Group

Now that we have created the policy ("High Risk Device Policy") we want to enforce, we need to link this policy to our User Mitigation Group ("Users_At_Risk") we created in "Creating Local User Group(s)" on page 18.

1. Navigate to Groups > User groups, find the user mitigation group you created in "Creating Local User Group(s)" on page 18, in our example "Users_At_Risk", and click the group name link.

2. On the user mitigation group detailed view, click the "Settings" tab.

3. On the "Settings" tab, click "+" on the "IT policy and profiles" section.

4. Select "IT policy".

5. On the "Assign an IT policy" pop-up window, select the IT policy we created in "Creating IT Policies" on page 55, in our example "High Risk Device Policy".

6. Click "Assign".


Note: Now any device placed into the user groups CHKP_Risk_High, CHKP_Risk_Medium or CHKP_Status_Inactive, which are nested under Users_At_Risk, will have the policy actions in the IT Policy ("High Risk Device Policy") acted upon it.

7. When all of these steps have been completed, your User Groups will look something like this:


Chapter 4

Registering Devices to SandBlast Mobile

In this chapter we will cover the user experience of device registration with SandBlast Mobile.

This chapter discusses the following:

Registration of an iOS Device
Registration of an Android Device
Redeployment of the SandBlast Mobile Protect App – iOS
Redeployment of the SandBlast Mobile Protect App - Android
Resending SandBlast Mobile Activation Code


Registration of an iOS Device

After the device is registered to the BlackBerry UEM system and the SandBlast Mobile Protect app has been "Assigned" to the User Provisioning Group ("SBM_Syncd_Users"), the user will be prompted to install the SandBlast Mobile Protect App. Users will be automatically assigned to "SBM_Syncd_Users" when their device has been provisioned within SandBlast Mobile. This keeps users from experiencing registration issues if there is a time lag between device enrollment to BlackBerry UEM and that device being synchronized to the SandBlast Mobile Dashboard.

1. The user is prompted to install SandBlast Mobile Protect.

2. The user taps "INSTALL".

3. After the App has been installed on the iOS Device, the user only needs to launch the App to finish the registration.

4. The user will be prompted to install the SandBlast Mobile Protect App. The user taps "INSTALL".

5. After the App has been deployed on the iOS Device, the user only needs to launch the App to finish the registration. The registration server and key are automatically configured in the App by BlackBerry UEM.

6. The user is prompted to enable Notifications, Location, and Network Security.

7. Continue with enabling Network Security, and tap "Allow" to allow SandBlast Mobile Protect to add the needed VPN Configuration profile.


8. The user is prompted to enable SMS Phishing Protection.

9. Continue through Settings > Messages > Unknown & Spam, and make sure that SMS Phishing > Protect is enabled.

10. Returning to SandBlast Mobile Protect, tap "Done" to initialize the scanning of the device.

11. Once the App is done scanning the system, it will display the state of the device. In this case, the device is without malicious or high risk apps, network and OS threats.


Registration of an Android Device

After the device is registered to the BlackBerry UEM system and the SandBlast Mobile Protect app has been "Assigned" to the User Provisioning Group ("SBM_Syncd_Users"), the user will be prompted to install the SandBlast Mobile Protect App.

1. The user is prompted by the UEM client to install the SandBlast Mobile Protect app, and taps "OK".

2. The user taps "INSTALL", and taps "ACCEPT" to accept the permissions of the App. The App installs.

3. After the App is installed, the user must launch the App to finish its deployment and registration to Check Point SandBlast Mobile.

4. The App will automatically register.

5. The user is prompted to allow SandBlast Mobile Protect to make and manage phone calls. Tap "Allow".

6. The user is prompted to turn on Location, SMS, and Network Protection features. Tap "Allow all required permissions".

7. Tap "OK" to allow SandBlast Mobile Protect to configure a VPN connection. This is necessary for the Network Security Protection features of Safe Browsing and Anti-Phishing to work.

8. Tap "Allow" to allow SandBlast Mobile Protect to access this device's location.


9. Tap "Allow" to allow SandBlast Mobile Protect to provide SMS protection.

10. Tap "Enable" to configure Accessibility permissions for SandBlast Mobile Protect.

11. Scroll down and tap "SandBlast Mobile", and tap the toggle to turn Accessibility ON.

12. Continue with configuring the Accessibility permissions for SandBlast Mobile Protect. Tap "OK".

13. Return to SandBlast Mobile Protect.

14. Once the App is done scanning the system, it will display the state of the device. In this case, the device is without malicious or high risk apps, network and OS threats.

Redeployment of the SandBlast Mobile Protect App – iOS

If the user removes the SandBlast Mobile Protect app, the device will be out of compliance. Because the iOS app is auto-configured, the user only needs to open the BlackBerry UEM client App Catalog, and choose to install SandBlast Mobile Protect.

Note: The instructions for installing and registering the SandBlast Mobile Protect app are described in "Registration of an iOS Device" on page 60.

Redeployment of the SandBlast Mobile Protect App - Android

If the user removes the SandBlast Mobile Protect app, the device will be out of compliance. Because the Android app is auto-configured, the user only needs to open the BlackBerry UEM client App Catalog, and choose to install SandBlast Mobile Protect.


Note: The instructions for installing and registering the SandBlast Mobile Protect app are described in "Registration of an Android Device" on page 62.

Resending SandBlast Mobile Activation Code

If the user requires the activation registration email/SMS to be resent to them, the administrator will log into the SandBlast Mobile Dashboard.

1. Navigate to the Devices tab, select the device to which to send the activation code, and click "Send activation".

2. On the pop-up "Send Activation Message" window, select the type of message, and click "Send". If the device has a phone number assigned, the message could be sent via SMS text message as well.


Chapter 5

Testing High Risk Activity Detection and Policy Enforcement

If the user’s device is determined to be at risk, either due to a malicious app or malicious activity, the SandBlast Mobile system notifies the user via in-app notifications and updates the risk state for that device in the BlackBerry UEM system.

BlackBerry UEM receives the group assignment change, and applies any policies belonging to that group (either by direct or indirect assignment).

In the following example, the Administrator will blacklist an app, in our example "Dropbox". As a result, all the devices with "Dropbox" installed will be identified as being at High Risk (CHKP_Risk_High) due to the blacklisted app. The SandBlast Mobile Dashboard will notify the user, and mark the device as belonging to the CHKP_Risk_High group in the BlackBerry UEM system. The BlackBerry UEM system will then enforce the policy actions specified in the IT policy, in our example "High Risk Device Policy". This mitigation process was the one we created in "Creating a Mitigation Process" on page 55.
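The chain from risk tag group to nested parent group to IT policy can be checked offline before testing on a device. The following is an added example, not code from this guide or from either product: the dictionaries are a constructed model of the guide's example groups, not a BlackBerry UEM export format, and the function names are hypothetical.

```python
from collections import deque

# Constructed model of the guide's example layout (not a UEM export format).
# child group -> groups it is nested under
NESTED_UNDER = {
    "CHKP_Risk_High": ["Users_At_Risk"],
    "CHKP_Risk_Medium": ["Users_At_Risk"],
    "CHKP_Status_Inactive": ["Users_At_Risk"],
}
# group -> IT policy assigned on that group's "Settings" tab
GROUP_POLICY = {"Users_At_Risk": "High Risk Device Policy"}
# tag groups the guide nests under the mitigation group
MITIGATION_TAGS = ["CHKP_Risk_High", "CHKP_Risk_Medium", "CHKP_Status_Inactive"]


def group_chain(group, nested_under):
    """Return the group followed by every group it is nested under.

    Breadth-first, so nearer parents come first; the seen-set stops a
    nesting loop (A under B under A) from running forever.
    """
    order, seen, queue = [], {group}, deque([group])
    while queue:
        current = queue.popleft()
        order.append(current)
        for parent in nested_under.get(current, []):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return order


def inherited_policies(member_of, nested_under, group_policy):
    """Map each IT policy reaching a user to (assigning group, kind).

    kind is "direct" when the user is a member of the assigning group
    itself and "indirect" when the policy arrives through nesting.
    """
    found = {}
    for group in member_of:
        for hop in group_chain(group, nested_under):
            policy = group_policy.get(hop)
            kind = "direct" if hop == group else "indirect"
            if policy and (policy not in found or kind == "direct"):
                found[policy] = (hop, kind)
    return found


def uncovered_tags(tags, nested_under, group_policy):
    """Return the tag groups whose members would inherit no IT policy."""
    return [tag for tag in tags
            if not inherited_policies([tag], nested_under, group_policy)]


if __name__ == "__main__":
    print(inherited_policies(["CHKP_Risk_High"], NESTED_UNDER, GROUP_POLICY))
    print(uncovered_tags(MITIGATION_TAGS, NESTED_UNDER, GROUP_POLICY))
```

The check only answers whether a policy is reachable through group nesting; it does not model how BlackBerry UEM chooses between several IT policies that reach the same user.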

This chapter discusses the following:

Blacklisting a Test App
View of Non-Compliant Device
SandBlast Mobile Protect App Notifications
UEM Client App Notifications
Administrator View on the SandBlast Mobile Dashboard
Administrator View on the BlackBerry UEM Console


Blacklisting a Test App

The first step is to blacklist an app, in our example "Dropbox". By blacklisting this app, all release versions and OS types will also be blacklisted. In our example, Dropbox for Android will be blacklisted, which will result in all Dropbox numbered release versions for Android being blacklisted as well, unless the "Apply only to this version" checkbox is selected.

1. Log into the SandBlast Mobile Dashboard.

2. Navigate to the App Analysis tab, and search for the app you wish to blacklist, in our example "Dropbox".

3. Click the "Policy" link of "Default".


4. On the "Changing application policy" pop-up window, select "Black Listed" from the "New policy" drop-down menu, and enter a reason for this change in the "Audit Trail note".

5. Click "OK".

View of Non-Compliant Device

SandBlast Mobile Protect App Notifications

1. The user receives a SandBlast Mobile Protect notification indicating that the blacklisted app is not allowed by Corporate Policy, in our example "Dropbox".

2. Once the issue has been remediated by the user, the system will update the security posture.


UEM Client App Notifications

1. The user will not be able to use the device’s camera, as specified in the compliance actions (policy) we created in "Creating IT Policies" on page 55, in our example "High Risk Device Policy", until the user removes the blacklisted app.

2. Your policy will probably block the device’s access to corporate networks and data by disabling VPN profiles, connections to email, and/or connecting to the Corporate Wi-Fi, until the issue is remediated.

Administrator View on the SandBlast Mobile Dashboard

1. From the SandBlast Mobile Dashboard, the Administrator will see that there are devices at high risk.


2. Clicking the High Risk will display a list of devices at high risk.

3. Selecting the desired device from the left-side list, the Administrator can see that the high risk state is caused by the existence of the blacklisted app, "Dropbox".

Administrator View on the BlackBerry UEM Console

1. In the BlackBerry UEM Console, in the User Device Detail screen the Administrator can see that the user is now a member of the "CHKP_Risk_High" group and indirectly a member of the "Users_At_Risk" group, and that the IT policy "High Risk Device Policy" has been assigned.


Appendix

Integration Information

| Information Name | Value |
|---|---|
| UEM Server URL | |
| UEM Web Services URL | |
| UEM SRP ID | |
| UEM SandBlast Mobile Admin Username | |
| UEM SandBlast Mobile Admin Password | |
| UEM Group(s) | |
| UEM Mitigation Group | |
| Tag Device Status (Boolean tags) become user groups in UEM | CHKP_Status_Provisioned, CHKP_Status_Active, CHKP_Status_Inactive |
| Tag Device Risk (Boolean tags) become user groups in UEM | CHKP_Risk_None, CHKP_Risk_Low, CHKP_Risk_Medium, CHKP_Risk_High |
| SandBlast Mobile Gateway | gw.locsec.net |
| SandBlast Mobile App Name (iOS) | SandBlast Mobile Protect |
| SandBlast Mobile App ID (iOS) | com.checkpoint.capsuleprotect |
| SandBlast Mobile App Name (Android) | SandBlast Mobile Protect |
| SandBlast Mobile App ID (Android) | com.lacoon.security.fox |


For more information, visit checkpoint.com/mobilesecurity
